Based on an extensive review of publicly reported internet of things (IoT) device vulnerabilities, the Online Trust Alliance (OTA) today announced that all of the problems could have been easily avoided.
"In this rush to bring connected devices to market, security and privacy are often being overlooked," Craig Spiezle, executive director and president of the OTA, said in a statement today. "If businesses do not make a systematic change, we risk seeing the weaponization of these devices and an erosion of consumer confidence impacting the IoT industry as a whole due to their security and privacy shortcomings."
If only they had listened ...
The OTA, a nonprofit group composed of academics and representatives from the public and private sectors, is dedicated to developing and advocating best practices and policy concerning security and privacy. Researchers from the OTA recently analyzed publicly reported vulnerabilities in consumer connected-home and wearable technology products from November 2015 through July 2016. They found that in each case, if device manufacturers and developers had implemented the security and privacy principles outlined in the OTA IoT Trust Framework, the vulnerabilities would not have occurred.
"Security starts from product development through launch and beyond, but during our observations we found that an alarming number of IoT devices failed to anticipate the need for ongoing product support," Spiezle said. "Devices with inadequate security patching systems further open the door to threats impacting the safety of consumers and businesses alike."
Most glaring security flaws
OTA revealed its findings today at the American Bar Association's 2016 Business Law Section Annual meeting in Boston.
OTA said the most glaring failures it found were attributed to the following causes:
- Insecure credential management, including making administrative controls open and discoverable
- Not adequately and accurately disclosing consumer data collection and sharing policies and practices
- The omission or lack of rigorous security testing throughout the development process, including but not limited to penetration testing and threat modeling
- The lack of a discoverable process or capability to responsibly report observed vulnerabilities
- Insecure or no network pairing control options (device to device or device to networks)
- Not testing for common code injection exploits
- The lack of transport security and encrypted storage, including unencrypted transmission of personal and sensitive information such as, but not limited to, user IDs and passwords
- Lacking a sustainable and supportable plan to address vulnerabilities through the product lifecycle, including the lack of software/firmware update capabilities and/or insecure and untested security patches/updates
"The Online Trust Alliance's IoT Trust Framework includes valuable principles that companies should embrace to make sure consumer smart home technology is secure, private and sustainable for the future," Tom Salomone, president of the National Association of Realtors (NAR) and broker-owner of Real Estate II in Coral Springs, Fla., said in a statement today. "Device vulnerabilities need to be understood and addressed in order to protect what is near and dear to anyone using smart and connected device technology in their home."
The OTA's IoT Trust Framework is a global, multi-stakeholder effort to address IoT risks comprehensively. The OTA began developing the framework in February 2015 based on the feedback of nearly 100 organizations, including ADT, American Greetings, Device Authority, Malwarebytes, Microsoft, NAR, Symantec, consumer and privacy advocates, international testing organizations, academic institutions, and U.S. government and law enforcement agencies. The framework includes a baseline of 31 measurable principles that OTA says device manufacturers, developers and policymakers should follow to maximize the security and privacy of the devices and data collected for smart homes and wearable technologies.